Trusted Solaris Installation and Configuration

How to Create Users to Assume Roles

The install team in the root role creates users to assume the roles secadmin, admin, and primaryadmin. Where site security policy permits, the team can choose to create one user who can assume more than one administrative role.

Prerequisite: Administrative roles must be created before creating users who will assume those roles.

To Create a User

  1. In the root role, at label ADMIN_LOW, invoke the Solaris Management Console action from the Application Manager.

    See "To Initialize the SMC Server" if you are unsure of how to start the SMC server.

  2. Select the appropriate toolbox.

    See "To Select a Toolbox of the Appropriate Scope" for assistance.

  3. Click Trusted Solaris Configuration, then double-click Users.

  4. Enter the role password at the prompt.

  5. Double-click User Accounts.


    Note -

    If toolbox icons display as red stop signs, the toolboxes will not load. To load them, do Step 4.


  6. Choose Add User > Use Wizard from the Action menu.


    Caution - Caution -

    Role and user IDs come from the same pool of IDs. Do not use existing names or IDs for the users you add.


  7. Begin to create a user who can assume the secadmin role and use Table 3-4 to fill out the fields.

    The Add User > Use Wizard dialog boxes create most aspects of a user.

  8. After creating the user, double-click the created user to modify some user properties.

    Use Table 3-5 as a guide.

  9. Read the (Recommended) Values columns for guidance.

    Parentheses enclose suggestions. Requirements or defaults are not enclosed in parentheses.


    Note -

    When the install team chooses a password, the team must select one that is not easy to guess, thus reducing the chance of an attacker gaining unauthorized access by attempting to guess passwords.


    Table 3-4 User Values in Add User Dialog

    Tab 

    User Field 

    (Recommended) Value 

    User Name 

    User name 

     

    Full name 

     

    Description 

    No proprietary info here. 

    User ID number 

    (1001 or higher) 

    Password 

    Set password by Type in or Choose from list 

    Assign a password of at least 6 alphanumeric characters. 

     

    Confirm 

     

    Group 

    Primary group 

    Staff 

    Home directory 

    Server 

    home directory server

    Path 

     

    Mail 

    Server 

     

    Path 

     

    For the user who can assume the secadmin role, select the Always Available for Account Availability under General, below. Choose an appropriate account availability for other users.

    Table 3-5 User Values in Properties/Modify Dialog

    Tab 

    User Field 

    (Recommended) Value 

    General 

    Shell 

     

     

    Account Availability 

    Always Available 

    Password 

    Set password by Type in or Choose from list 

    (Set in Table 3-4.)

     

    Update password by Choose from list or Type in 

     

    Group 

    Additional Groups 

     

    Roles 

    Available Roles and Assigned Roles 

    secadmin 

    Trusted Solaris Attributes 

    Minimum Label: Edit 

    Default value is correct. 

    Clearance: Edit 

    Default value is correct. 

    View: External or Internal 

     

     

    Label: Show or Hide 

    If your site is a no-label site, choose Hide. 

    Account Usage 

    Idle time 

     

    Idle action 

     

     

    Lock account ... 

    No -- for user who will assume a role 

    Rights 

    Available and Granted 

    Enable Login ... See Note below.

    Audit 

    Excluded and Included 

    Set flags per site security policy 


    Note -

    Although Basic Solaris User does not appear in the Granted column, this right is assigned automatically to a user that is created using the Add User wizard. Do not assign the right explicitly.


  10. Create and modify another user, one who can assume the admin role.

  11. (Optional) Create and modify third and fourth users to assume the primaryadmin and oper roles, and provide them with unique IDs, and appropriate Rights.


    Note -

    If site security permits, users can assume more than one role.


    These first users should each have at least the Enable Login right -- user can enable logins after a workstation reboot.

    After checking your site security policy, you may want to add the Convenient Authorizations right -- user can allocate devices, enable logins, print PostScript files, print without labels, remotely log in, and shut down the workstation.

  12. Return to the procedure and chapter you are working from.


Note -

Setting up users is a two-role, trusted procedure. See Table 1-1 for the security defaults that the security administrator can set. Once the security defaults are set, the system administrator can set up user accounts.

In a multilabel environment, users are set up with a useful file, Failed Cross Reference Format. See "Managing Initialization Files" in Trusted Solaris Administrator's Procedures for further discussion.


See "Using the SMC User Manager to Manage User and Role Accounts and Profiles" in Trusted Solaris Administrator's Procedures for details on setting up users and user files.